[Asterisk-Users] asterisk@home scary log

Karl H. Putz kputz at columbus.rr.com
Thu Feb 10 08:56:53 MST 2005


I had the system setup to allow http and ssh.

The hack came in through ssh.

>-----Original Message-----
>From: asterisk-users-bounces at lists.digium.com
>[mailto:asterisk-users-bounces at lists.digium.com]On Behalf Of Christian
>Moller
>Sent: Thursday, February 10, 2005 10:39 AM
>To: Asterisk Users Mailing List - Non-Commercial Discussion
>Subject: Re: [Asterisk-Users] asterisk at home scary log
>
>
>Hi,
>I've also been a little worried about the security. How did they
>connect to
>your system? Through telnet or what?
>Since I've disabled all such services.
>Best,
>Christian
>
>
>----- Original Message -----
>From: "Karl H. Putz" <kputz at columbus.rr.com>
>To: "Jean-Louis curty" <jlcurty at gmail.com>; "Asterisk Users Mailing List -
>Non-Commercial Discussion" <asterisk-users at lists.digium.com>
>Sent: Thursday, February 10, 2005 4:18 PM
>Subject: RE: [Asterisk-Users] asterisk at home scary log
>
>
>> You've likely been hacked.
>>
>> I have recently had a similar incident where a hacker guessed my root
>> password (MY BAD) and set up an ebay password skimming site.
>>
>> I noticed it when I got similar non-deliverable email messages.
>>
>> Obviously, first change your password and then look at the /var/www/html
>> directory and see if there are unwelcome pages there.  Also be sure to
>> check
>> who is logged in currently.  I caught the (*%#@ SOB logged in and bounced
>> the bastard.
>>
>> For what it's worth, the hacker's IP address was: 81.12.141.150.
>>
>>
>> Karl Putz
>>
>>>-----Original Message-----
>>>From: asterisk-users-bounces at lists.digium.com
>>>[mailto:asterisk-users-bounces at lists.digium.com]On Behalf Of Jean-Louis
>>>curty
>>>Sent: Thursday, February 10, 2005 9:10 AM
>>>To: Asterisk Users Mailing List - Non-Commercial Discussion
>>>Subject: [Asterisk-Users] asterisk at home scary log
>>>
>>>
>>>Hi everybody,
>>>
>>>I'm testing asterisk at home 0.4,
>>>looks great so far
>>>
>>>I was working when I was alerted by a beep coming from the * pc...
>>>
>>>I connected a screen to it and saw that there was a message which
>>>looked like :
>>>
>>>
>>>Message from syslogd at asterisk1 at Thu Feb 10 09:01:00 2005 ...
>>>asterisk1
>>>
>>>
>>>
>>>so I stopped asterisk, typed mail and got a strange mail saying that
>>>user xxxx at yahoo.com could not be reached, and the body looked like
>>>the output of commands such as ifconfig etc.
>>>
>>>unfortunately I don't have the message anymore but I went to the log
>>>
>>>and saw this
>>>Feb  9 20:30:07 asterisk1 sendmail[10088]: j1A1U7mf010088:
>>>from=<root at asterisk1.local>, size=329, class=0, nrcpts=1,
>>>msgid=<200502100130.j1A1U7Q1010071 at asterisk1.local>, proto=ESMTP,
>>>daemon=MTA, relay=asterisk1.local [127.0.0.1]
>>>Feb  9 20:30:07 asterisk1 sendmail[10071]: j1A1U7Q1010071:
>>>to=paym3now at gmail.com, ctladdr=root (0/0), delay=00:00:00,
>>>xdelay=00:00:00, mailer=relay, pri=30049, relay=[127.0.0.1]
>>>[127.0.0.1], dsn=2.0.0, stat=Sent (j1A1U7mf010088 Message accepted for
>>>delivery)
>>>Feb  9 20:30:07 asterisk1 sendmail[10077]: j1A1U7CY010077:
>>>to=paym3now at gmail.com, ctladdr=root (0/0), delay=00:00:00,
>>>xdelay=00:00:00, mailer=relay, pri=30068, relay=[127.0.0.1]
>>>[127.0.0.1], dsn=2.0.0, stat=Sent (j1A1U7Ns010089 Message accepted for
>>>delivery)
>>>Feb  9 20:30:17 asterisk1 sendmail[10094]: j1A1U7Ns010089:
>>>to=<paym3now at gmail.com>, ctladdr=<root at asterisk1.local> (0/0),
>>>delay=00:00:10, xdelay=00:00:10, mailer=esmtp, pri=30348,
>>>relay=gsmtp171.google.com. [64.233.171.27], dsn=2.0.0, stat=Sent (OK
>>>1107998984)
>>>Feb  9 20:30:17 asterisk1 sendmail[10093]: j1A1U7mf010088:
>>>to=<paym3now at gmail.com>, ctladdr=<root at asterisk1.local> (0/0),
>>>delay=00:00:10, xdelay=00:00:10, mailer=esmtp, pri=30329,
>>>relay=gsmtp171.google.com. [64.233.171.27], dsn=2.0.0, stat=Sent (OK
>>>1107998984)
>>>
>>>
>>>the thing is I did not send any message to paym3now at gmail.com nor to
>>>somebody at yahoo,
>>>
>>>
>>>anybody got the same? what can I do??
>>>
>>>thanks
>>>jl
>>>_______________________________________________
>>>Asterisk-Users mailing list
>>>Asterisk-Users at lists.digium.com
>>>http://lists.digium.com/mailman/listinfo/asterisk-users
>>>To UNSUBSCRIBE or update options visit:
>>>   http://lists.digium.com/mailman/listinfo/asterisk-users
>>>
>>
>>
>
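A defender-side check for the pattern in the log quoted above, written as an added example (not code from anyone in this thread): it parses sendmail syslog lines and flags deliveries that actually left the host (mailer=esmtp) for recipient domains outside an allow-list, which is exactly what the root-to-gmail entries would have tripped. The sample log lines, the allow-list and the example.org domain are constructed for the example.

```python
import re

# Constructed sample, modelled on the sendmail lines quoted in the thread
# (the list archive rewrites "@" as " at "; real logs contain "@").
SAMPLE_LOG = """\
Feb  9 20:30:07 asterisk1 sendmail[10071]: j1A1U7Q1010071: to=paym3now@gmail.com, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30049, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (j1A1U7mf010088 Message accepted for delivery)
Feb  9 20:30:17 asterisk1 sendmail[10093]: j1A1U7mf010088: to=<paym3now@gmail.com>, ctladdr=<root@asterisk1.local> (0/0), delay=00:00:10, xdelay=00:00:10, mailer=esmtp, pri=30329, relay=gsmtp171.google.com. [64.233.171.27], dsn=2.0.0, stat=Sent (OK 1107998984)
Feb  9 21:05:02 asterisk1 sendmail[10300]: j1A205Ab010300: to=<jl@example.org>, ctladdr=<asterisk@asterisk1.local> (0/0), delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30400, relay=mail.example.org. [192.0.2.25], dsn=2.0.0, stat=Sent (OK)
Feb  9 22:00:00 asterisk1 sendmail[10400]: j1A300Cd010400: to=<root@asterisk1.local>, ctladdr=<root@asterisk1.local> (0/0), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=30100, dsn=2.0.0, stat=Sent
"""

# Recipient domains this box is expected to mail (voicemail notifications etc.); assumed.
ALLOWED_RCPT_DOMAINS = {"asterisk1.local", "example.org"}
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                     r"sendmail\[\d+\]: (?P<qid>\w+): (?P<fields>.*)$")

def parse_line(line):
    """Split one sendmail syslog line into (timestamp, queue id, {key: value})."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {}
    for item in m.group("fields").split(", "):
        key, sep, val = item.partition("=")
        if sep:
            fields[key] = val
    return m.group("ts"), m.group("qid"), fields

def address(value):
    """'<root@asterisk1.local> (0/0)' -> ('root', 'asterisk1.local')."""
    user, _, domain = value.split()[0].strip("<>").partition("@")
    return user, domain.lower()

def suspicious_deliveries(log_text, allowed=ALLOWED_RCPT_DOMAINS):
    """Return (queue id, sender, recipient, relay) for mail that actually left the host
    (mailer=esmtp) for a domain outside the allow-list; relay/local mailers never leave."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        _, qid, f = parsed
        if f.get("mailer") != "esmtp" or "to" not in f:
            continue
        rcpt_user, rcpt_domain = address(f["to"])
        if rcpt_domain in allowed:
            continue
        sender = address(f.get("ctladdr", "unknown"))[0]
        hits.append((qid, sender, rcpt_user + "@" + rcpt_domain, f.get("relay", "")))
    return hits
```

Run it over /var/log/maillog and anything it returns for a box that is only supposed to send voicemail notices deserves the same look Karl suggests giving /var/www/html and the current logins.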